Integrating Boolean and Mathematical Solving:Foundations, Basic Algorithms and

Requirements ?

Gilles Audemard12, Piergiorgio Bertoli1, Alessandro Cimatti1,Artur Korni lowicz13, and Roberto Sebastiani14

1 ITC-IRST, Povo, Trento, Italy{audemard,bertoli,cimatti,kornilow}@itc.it2 LSIS, University of Provence, Marseille, France

3 Institute of Computer Science, University of Bia lystok, Poland4 DIT, Universita` di Trento, Povo, Trento, Italy

roberto.sebastiani@dit.unitn.it

Abstract. In the last years we have witnessed an impressive advancein the efficiency of boolean solving techniques, which has brought largepreviously intractable problems at the reach of state-of-the-art solvers.Unfortunately, simple boolean expressions are not expressive enough forrepresenting many real-world problems, which require handling also in-teger or real values and operators. On the other hand, mathematicalsolvers, like computer-algebra systems or constraint solvers, cannot han-dle efficiently problems involving heavy boolean search, or do not handlethem at all. In this paper we present the foundations and the basic al-gorithms for a new class of procedures for solving boolean combinationsof mathematical propositions, which combine boolean and mathemati-cal solvers, and we highlight the main requirements that boolean andmathematical solvers must fulfill in order to achieve the maximum ben-efits from their integration. Finally we show how existing systems arecaptured by our framework.

1 Motivation and goals

In the last years we have witnessed an impressive advance in the efficiency ofboolean solving techniques (SAT), which has brought large previously intractableproblems at the reach of state-of-the-art solvers. 1 As a consequence, somehard real-world problems have been successfully solved by encoding them intoSAT. Propositional planning [KMS96] and boolean model-checking [BCCZ99]are among the best achievements.? This work is sponsored by the CALCULEMUS! IHP-RTN EC project, contract

code HPRN-CT-2000-00102, and has thus benefited of the financial contribution ofthe Commission through the IHP programme.

1 SAT procedures are commonly called solvers in the SAT community, although thedistinction between solving, proving and computing services may suggest to call themprovers.

Unfortunately, simple boolean expressions are not expressive enough for rep-resenting many real-world problems. For example, problem domains like tem-poral reasoning, resource planning, verification of systems with numerical dataor of timed systems, require handling also constraints on integer or real quanti-ties (see, e.g., [ACG99,WW99,CABN97,MLAH01]). Moreover, some problem do-mains like model checking often require an explicit representation of integers andarithmetic operators, which cannot be represented efficiently by simple booleanexpressions (see, e.g., [CABN97,MLAH01]). On the other hand, mathematicalsolvers, like computer-algebra systems or constraint solvers, cannot handle ef-ficiently problems involving heavy boolean search, or do not handle them atall.

In 1996 we have proposed a new general approach to build domain-specificdecision procedures on top of SAT solvers [GS96,GS00]. The basic idea wasto decompose the search into two orthogonal components, one purely proposi-tional component and one boolean-free domain-specific component and to usea (modified) Davis Putnam Longemann Loveland (DPLL) SAT solver [DLL62]for the former and a pure domain-specific procedure for the latter. So far theSAT based approach proved very effective in various problem domains like, e.g.,modal and description logics [GS00], temporal reasoning [ACG99], resource plan-ning [WW99].

In this paper we present the foundations and the basic algorithms for a newclass of procedures for solving boolean combinations of mathematical proposi-tions, which integrate SAT and mathematical solvers, and we highlight the mainrequirement SAT and mathematical solvers must fulfill in order to achieve themaximum benefits from their integration. The ultimate goal is to develop solversable to handle complex problems like those hinted above.

The paper is structured as follows. In Section 2 we describe formally theproblem we are addressing. In Section 3 we present the logic framework onwhich the procedures are based. In Section 4 we present a generalized searchprocedure which combine boolean and mathematical solvers and introduce someefficiency issues. In Section 5 we highlight the main requirements that booleanand mathematical solvers must fulfill in order to achieve the maximum benefitsfrom their integration. In Section 6 we briefly describe some existing systemswhich are captured by our framework,and our own implemented procedure.

For lack of space, in this paper we omit the proofs of all the theoretical resultspresented, which can be found in [Seb01].

2 The problem

We address the problem of checking the satisfiability of boolean combinations ofprimitive and mathematical propositions. Let D be the domain of either integernumbers Z or real numbers R, with the respective set OPD of arithmetical op-erators {+,, , /,mod} or {+,, , /} respectively. Let {,>} denote the falseand true boolean values. Given the standard boolean connectives {,} andmath operators {=, 6=, >,

propositions, let C = {c1, c2, . . .} and V = {v1, v2, . . .} respectively be a set ofnumerical constants in D and variables over the D.

We call Math-terms the mathematical expressions built up from constants,variables and arithmetical operators over D:

a constant ci C is a Math-term; a variable vi V is a Math-term; if t1 is a Math-term, then t1 is a Math-term; if t1, t2 are Math-terms, then (t1 t2) is a Math-term, OPD.

We call Math-formulas the mathematical formulas built on primitive propo-sitions, Math-terms, operators and boolean connectives:

a primitive proposition Ai A is a Math-formula; if t1, t2 are Math-terms, then (t1 ./ t2) is a Math-formula, ./ {=, 6=, >, 5) areMath-formulas. 2

Notationally, we use the lower case letters t, t1, ... to denote Math-terms,and the Greek letters , , , to denote Math-formulas. We use the standardabbreviations, that is: 1 2 for (1 2), 1 2 for (1 2), 1 2 for (12)(21), > for any valid formula, and for >. When this does not cause ambiguities, we use the associativityand precedence rules of arithmetical operators to simplify the appearance ofMath-terms; e.g, we write (c1(v2 v1) c1v3 + c3v4) instead of (((c1 (v2 v1)) (c1 v3)) + (c3 v4)).

We call interpretation a map I which assigns D values and boolean values toMath-terms and Math-formulas respectively and preserves constants and arith-metical operators:3

I(Ai) {>,}, for every Ai A; I(ci) = ci, for every ci C; I(vi) D, for every vi V; I(t1 t2) = (I(t1) ID(t2)), for all Math-terms t1, t2 and OPD.2 The assumption that the domain is the whole Z or R is not restrictive, as we can re-

strict the domain of any variable vi at will by adding to the formula some constraintslike, e.g., (v1 6= 0.0), (v1 5.0), etc.

3 Here we make a little abuse of notation with the constants and the operators inOPD. In fact, e.g., we denote by the same symbol + both the language symbol inID(t1 + t2) and the arithmetic operator in (ID(t1) + ID(t2)). The same discourseholds for the constants ci C and also for the operators {=, 6=, >,

The binary relation |= between a interpretation I and a Math-formula , writtenI |= (I satisfies or I satisfies ) is defined as follows:

I |= Ai, Ai A I(Ai) = >;I |= (t1 ./ t2), ./ {=, 6=, >,, I(v1) = 1.1, and I(v2) = 0.6. Forevery 1 and 2, we say that 1 |= 2 if and only if I |= 2 for every I suchthat I |= 1. We also say that |= ( is valid) if and only if I |= for every I.It is easy to verify that 1 |= 2 if and only if |= 1 2, and that |= if andonly if is unsatisfiable.

3 The formal framework

3.1 Basic definitions and results

Definition 1. We call atom any Math-formula that cannot be decomposed propo-sitionally, that is, any Math-formula whose main connective is not a booleanoperator. A literal is either an atom (a positive literal) or its negation (anegative literal).

Examples of literals are, A1, A2, (v1 + 5.0 2.0v3), ((2v1 mod v2) > 5). Ifl is a negative literal , then by l we conventionally mean rather than. We denote by Atoms() the set of atoms in .

Definition 2. We call a total truth assignment for a Math-formula aset

= {1, . . . , N ,1, . . . ,M , A1, . . . , AR,AR+1, . . . ,AS}, (1)such that every atom in Atoms() occurs as either a positive or a negative literalin . A partial truth assignment for is a subset of a total truth assignmentfor . If 2 1, then we say that 1 extends 2 and that 2 subsumes 1.

A total truth assignment like (1) is interpreted as a truth value assignment toall the atoms of : i means that i is assigned to >, i means that iis assigned to . Syntactically identical instances of the same atom are alwaysassigned identical truth values; syntactically different atoms, e.g., (t1 t2) and(t2 t1), are treated differently and may thus be assigned different truth values.

Notationally, we use the Greek letters , to represent truth assignments.We often write a truth assignment as the conjunction of its elements. To thisextent, we say that is satisfiable if the conjunction of its elements is satisfiable.

Definition 3. We say that a total truth assignment for propositionallysatisfies , written |=p , if and only if it makes evaluate to >, that is, forall sub-formulas 1, 2 of :

|=p 1, 1 Atoms() 1 ; |=p 1 6|=p 1; |=p 1 2 |=p 1 and |=p 2.

We say that a partial truth assignment propositionally satisfies if andonly if all the total truth assignments for which extend propositionally satisfy.

From now on, if not specified, when dealing with propositional satisfiability wedo not distinguish between total and partial assignments.

We say that is propositionally satisfiable if and only if there exist an as-signment such that |=p . Intuitively, if we consider a Math-formula asa propositional formula in its atoms, then |=p is the standard satisfiability inpropositional logic. Thus, for every 1 and 2, we say that 1 |=p 2 if andonly if |=p 2 for every such that |=p 1. We also say that |=p ( ispropositionally valid) if and only if |=p for every assignment for . It iseasy to verify that 1 |=p 2 if and only if |=p 1 2, and that |=p if andonly if is propositionally unsatisfiable.

Notice that |=p is stronger than |=, that is, if 1 |=p 2, then 1 |= 2, butnot vice versa. E.g., (v1 v2) (v2 v3) |= (v1 v3), but (v1 v2) (v2 v3) 6|=p (v1 v3).Example 1. Consider the following math-formula :

= {(2v2 v3 > 2) A1} {A2 (2v1 4v5 > 3)} {(3v1 2v2 3) A2} {(2v3 + v4 5) (3v1 v3 6) A1} {A1 (3v1 2v2 3)} {(v1 v5 1) (v5 = 5 3v4) A1} {A1 (v3 = 3v5 + 4) A2}.

The truth assignment given by the underlined literals above is:

= {(2v2v3 > 2),A2, (3v12v2 3), (v1v5 1),(3v1v3 6), (v3 = 3v5+4)}.Notice that the two occurrences of (3v1 2v2 3) in rows 3 and 5 of areboth assigned >. is an assignment which propositionally satisfies , as it setsto true one literal of every disjunction in . Notice that is not satisfiable, asboth the following sub-assignments of

{(3v1 2v2 3),(2v2 v3 > 2),(3v1 v3 6)} (2){(v1 v5 1), (v3 = 3v5 + 4),(3v1 v3 6)} (3)

do not have any satisfying interpretation. 3

Definition 4. We say that a collection M = {1, . . . , n} of (possibly partial)assignments propositionally satisfying is complete if and only if

|=p j

j . (4)

where each assignment j is written as a conjunction of its elements.

M is complete in the sense that, for every total assignment such that |=p ,there exists j M such that j . Therefore M is a compact representationof the whole set of total assignments propositionally satisfying . Notice howeverthat ||M|| is worst-case exponential in the size of , though typically muchsmaller than the set of all total assignments satisfying .

Definition 5. We say that a complete collection M = {1, . . . , n} of assign-ments propositionally satisfying is non-redundant if for every j M,M \ {j} is no more complete, it is redundant otherwise. M is stronglynon-redundant if, for every i, j M, (1 2) is propositionally unsatisfi-able.

It is easy to verify that, if M is redundant, then i j for some i, j, and that,if M is strongly non-redundant, then it is non-redundant too, but the vice versadoes not hold.

Example 2. Let := ( ) ( ), , and being atoms. Then

1. {{, , }, {, ,}, {,, }, {,,}, {, , }, {, ,}} is theset of all total assignments propositionally satisfying ;

2. {{}, {, }, {,}, {, }, {}, {,}, {, }, {, }} is complete but re-dundant;

3. {{}, {}} is complete, non redundant but not strongly non-redundant;4. {{}, {, }} is complete and strongly non-redundant. 3

Theorem 1. Let be a Math-formula and let M = {1, . . . , n} be a completecollection of truth assignments propositionally satisfying . Then is satisfiableif and only if j is satisfiable for some j M.

3.2 Decidability and complexity

Having a Math-formula , it is always possible to find a complete collection ofsatisfying assignments for (see later). Thus from Theorem 1 we have triviallythe following fact.

Proposition 1. The satisfiability problem for a Math-formula over atoms of agiven class is decidable if and only if the satisfiability of sets of literals of thesame class is decidable.

For instance, the satisfiability of a set of linear constraints on R or on Z, or aset of non-linear constraints on R is decidable, whilst a set of non-linear (poly-nomial) constraints on Z is not decidable (see, e.g., [RV01]). Consequently, thesatisfiability of Math-formulas over linear constraints on R or on Z, or over non-linear constraints on R is decidable, whilst the satisfiability of Math-formulasover non-linear constraints over Z is undecidable.

For the decidable cases, as standard boolean formulas are a strict subcaseof Math-formulas, it follows trivially that deciding the satisfiability of Math-formulas is at least as hard as boolean satisfiability.

Proposition 2. The problem of deciding the satisfiability of a Math-formula is NP-hard.

Thus, deciding satisfiability is computationally very expensive. The complexityupper bound may depend on the kind of mathematical problems we are dealing.For instance, if we are dealing with arithmetical expressions over bounded inte-gers, then for every I we can verify I |= in a polynomial amount of time, andthus the problem is also NP-complete.

4 A generalized search procedure

Theorem 1 allows us to split the notion of satisfiability of a Math-formula intotwo orthogonal components:

a purely boolean component, consisting of the existence of a propositionalmodel for ;

a purely mathematical component, consisting of the existence of an inter-pretation for a set of atomic (possibly negated) mathematical propositions.

These two aspects are handled, respectively, by a truth assignment enumeratorand by a mathematical solver.

Definition 6. We call a truth assignment enumerator a total function As-sign Enumerator which takes as input a Math-formula and returns a com-plete collection {1, . . . , n} of assignments satisfying .Notice the difference between a truth assignment enumerator and a standardboolean solver: a boolean solver has to find only one satisfying assignment orto decide there is none while an enumerator has to find a complete collectionof satisfying assignments. (We will show later how some boolean solvers can bemodified to be used as enumerators.)

We say that Assign Enumerator is

strongly non-redundant ifAssign Enumerator() is strongly non-redundant,for every ,

non-redundant if Assign Enumerator() is non-redundant for every , redundant otherwise.

boolean Math-SAT(formula , assignment & , interpretation & I)do

:= Next(Assign Enumerator()) /* next in {1, ..., n} */if ( 6= Null)

I :=MathSolver();while ((I = Null) and ( 6= Null))if (I 6= Null)then return True; /* a D-satisfiable assignment found */else return False; /* no D-satisfiable assignment found */

Fig. 1. Schema of the generalized search procedure for D-satisfiability.

Definition 7. We call a mathematical solver a total function MathSolverwhich takes as input a set of (possibly negated) atomic Math-formulas andreturns an interpretation satisfying , or Null if there is none.

The general schema of a search procedure for satisfiability is reported inFigure 1. Math-SAT takes as input a formula and (by reference) an initiallyempty assignment and an initially null interpretation I. For every assignment in the collection {1, .., n} generated byAssign Enumerator(),Math-SATinvokes MathSolver over , which either returns a interpretation satisfying ,or Null if there is none. This is done until either one satisfiable assignment isfound, or no more assignments are available in {1, ..., n}. In the former case is satisfiable, in the later case it is not.

Math-SAT performs at most ||M|| loops. Thus, if every call to Math-Solver terminates, then Math-SAT terminates. Moreover, it follows from The-orem 1 that Math-SAT is correct and complete if MathSolver is correct andcomplete. Notice that, it is not necessary to check the whole set of total truthassignments satisfying , rather it is sufficient to check an arbitrary complete col-lection M of partial assignments propositionally satisfying , which is typicallymuch smaller.

It is very important to notice that the search procedure schema of Figure 1 iscompletely independent on the kind of mathematical domain we are addressing,once we have a mathematical solver for it. This means that the expressivity ofMath-SAT, that is, the kind of math-formulas Math-SAT can handle, dependsonly on the kind of sets of mathematical atomic propositions MathSolver canhandle.

4.1 Suitable Assign Enumerators

The following are the most significant boolean reasoning techniques that we canadapt to be used as assignment enumerators.

Fig. 2. OBDD, Tableau search graph and DPLL search graph for the formula () ( ).

DNF. The simplest technique we can use as an enumerator is the DisjunctiveNormal Form (DNF) conversion. A propositional formula can be convertedinto a formula DNF () by (i) recursively applying DeMorgans rewriting rulesto until the result is a disjunction of conjunction of literals, and (ii) removingall duplicated and subsumed disjuncts. The resulting formula is normal, in thesense that DNF () is propositionally equivalent to , and that propositionallyequivalent formulas generate the same DNF modulo reordering.

By Definition 4, we can see (the set of disjuncts of) DNF () as a com-plete and non-redundant but not strongly non-redundant collection of as-signments propositionally satisfying . For instance, in Example 2, the set ofassignments at point 2. and 3. are respectively the results of step (i) and (ii)above.

OBDD . A more effective normal form for representing a boolean formula ifgiven by the Ordered Binary Decision Diagrams (OBDDs) [Bry86], which areextensively used in hardware verification and model checking. Given a totalordering v1, ..., vn on the atoms of , the OBDD representing (OBDD())is a directed acyclic graph such that (i) each node is either one of the twoterminal nodes T, F , or an internal node labeled by an atom v of , with twooutcoming edges T (v) (v is true) and F (v) (v is false), (ii) each arc vi vj is such that vi < vj in the total order. If a node n labeled with v is theroot of OBDD() and n1, n2 are the two son nodes of n through the edgesT (v) and F (v) respectively, then n1, n2 are the roots of OBDD([v = >]) andOBDD([v = ]) respectively. A path from the root of OBDD() to T [resp.F ] is a propositional model [resp. counter-model] of , and the disjunction ofsuch paths is propositionally equivalent to [resp. ].

Thus, we can see OBDD() as a complete collection of assignments propo-sitionally satisfying . As every pair of paths differ for the truth value of atleast one variable, OBDD() is also strongly non-redundant. For instance, inFigure 2 (left) the OBDD of the formula in Example 2 is represented. The pathsto T are those given by the set of assignments at point 4. of Example 2.

Semantic tableaux. A standard boolean solving technique is that of semantictableaux [Smu68]. Given an input formula , in each branch of the search treethe set {} is decomposed into a set of literals by the recursive application ofthe rules:

{1, ..., n} {ni=1 i} ()

{1} .... {n} {ni=1 i} (),

plus analogous rules for (), (), (), (), ( ), ( ). The main stepsare:

(closed branch) if contains both i and i for some subformula i of ,then is said to be closed and cannot be decomposed any further;

(solution branch) if contains only literals, then it is an assignment suchthat |=p ;

(-rule) if contains a conjunction, then the latter is unrolled into the setof its conjuncts;

(-rule) if contains a disjunction, then the search branches on one of thedisjuncts.

The search tree resulting from the decomposition is such that all its solu-tion branches are assignments in a collection Tableau(), whose disjunction ispropositionally equivalent to . Thus Tableau() is complete, but it may be re-dundant. For instance, in Figure 2 (center) the search tree of a semantic tableauapplied on the formula in Example 2 is represented. The solutions branches giverise to the redundant collection of assignments at point 2. of Example 2.

DPLL. The most commonly used boolean solving procedure is DPLL [DLL62].Given in input, DPLL tries to build recursively one assignment satisfying, at each step adding a new literal to and simplifying , according to thefollowing steps:

(base) If = >, then propositionally satisfies the original formula, so that is returned;

(backtrack) if = , propositionally falsifies the original formula, so thatDPLL backtracks;

(unit propagation) if a literal l occurs in as a unit clause, then DPLL isinvoked recursively on l=> and {l}, l=> being the result of substituting> for l in and simplifying;

(split) otherwise, a literal l is selected, and DPLL is invoked recursively onl=> and {l}. If this call succeeds, then the result is returned, otherwiseDPLL is invoked recursively on l= and {l}.

Standard DPLL can be adapted to work as a boolean enumerator by simplymodifying in the base case is returned with is added to the collection,and backtrack [GS96,Seb01].

The resulting set of assignments DPLL() is complete and strongly non-redundant [Seb01]. For instance, in Figure 2 (right) the search tree of DPLL

applied on the formula in Example 2 is represented. The non closed branchesgive rise to the set of assignments at point 4. of Example 2.

Notice the difference between an OBDD and (the search tree of) DPLL: first,the former is a direct acyclic graph whilst the second is a tree; second, in OBDDsthe order of branching variables if fixed a priori, while DPLL can choose eachtime the best variable to split.

4.2 Non-suitable Assign Enumerators

It is very important to notice that, in general, not every boolean solver can beadapted to work as a boolean enumerator. For instance, many implementationsof DPLL include also the following step between unit propagation and split:

(pure literal) if an atom occurs only positively [resp. negatively] in ,then DPLL is invoked recursively on => and {} [resp. = and {}];

(we call this variant DPLL+PL). DPLL+PL is complete as a boolean solver,but does not generate a complete collection of assignments, so that it cannot beused as an enumerator.

Example 3. If we used DPLL+PL as Assign Enumerator in Math-SAT andgave in input the formula in Example 2, DPLL+PL might return the one-element collection {{}}, which is not complete. If is (x2 + 1 0) and is(y x), x, y R, then {} is not satisfiable, so that Math-SAT would returnunsatisfiable. On the other hand, the formula is satisfiable because, e.g., theassignment {, } is satisfied by I(x) = 1.0 and I(y) = 0.0.

5 Requirements for Assign Enumerator andMathSolver

Apart from the efficiency of MathSolver which varies with the kind of prob-lem addressed and with the technique adopted, and will not be discussed hereand that of the SAT solver used which does not necessarily imply its efficiencyas an enumerator many other factors influence the efficiency of Math-SAT.

5.1 Efficiency requirements for Assign Enumerator

Polynomial vs. exponential space in Assign Enumerator. We wouldrather Math-SAT require polynomial space. As M can be exponentially bigwith respect to the size of , we would rather adopt a generate-check-and-dropparadigm: at each step, generate the next assignment i M, check its sat-isfiability, and then drop it or drop the part of it which is not common tothe next assignment before passing to the i + 1-step. This means that As-sign Enumerator must be able to generate the assignments one at a time.

To this extent, both DNF and OBDD are not suitable, as they force generat-ing the whole assignment collectionM one-shot. Instead, both semantic tableauxand DPLL are a good choice, as their depth-first search strategy allows for gen-erating and checking one assignment at a time.

Non-redundancy of Assign Enumerator. We want to reduce as much aspossible the number of assignments generated and checked. To do this, a keyissue is avoiding MathSolver being invoked on an assignment which either isidentical to an already-checked one or extends one which has been already foundunsatisfiable. This is obtained by using a non-redundant enumerator. To thisextent, semantic tableaux are not a good choice.

Non-redundant enumerators avoid generating partial assignments whose un-satisfiability is a propositional consequence of those already generated. If M isstrongly non-redundant, however, each total assignment propositionally satis-fying is represented by one and only one j M, and every j M representsunivocally 2|Atoms()||j | total assignments. Thus strongly non-redundant enu-merators also avoid generating partial assignments covering areas of the searchspace which are covered by already-generated ones.

For enumerators that are not strongly non-redundant, there is a tradeoffbetween redundancy and polynomial memory. In fact, when adopting a generate-check-and-drop paradigm, the algorithm has no way to remember if it has alreadychecked a given assignment or not, unless it explicitly keeps track of it, whichrequires up to exponential memory. Strong non-redundancy instead provides alogical warrant that an already checked assignment will never be checked again.

5.2 Exploiting the interaction between Assign Enumerator andMathSolver

Intermediate assignment checking. If an assignment is unsatisfiable, thenall its extensions are unsatisfiable. Thus, when the unsatisfiability of is de-tected during its recursive construction, this prevents checking the satisfiabilityof all the up to 2|Atoms()||

| truth assignments which extend . Thus, anotherkey issue for efficiency is the possibility of modifying Assign Enumerator sothat it can perform intermediate calls to MathSolver and it can take advantageof the (un)satisfiability information returned to prune the search space.

With semantic tableaux and DPLL, this can be easily obtained by intro-ducing an intermediate test, immediately before the (-rule) and the (split)step respectively, in which MathSolver is invoked on an intermediate assign-ment and, if it is inconsistent, the whole branch is cut [GS96,ABC+02]. WithOBDDs, it is possible to reduce an existing OBDD by traversing it depth-firstand redirecting to the F node the paths representing inconsistent assignments[CABN97]. However, this requires generating the non-reduced OBDD anyway.

Generating and handling conflict sets. Given an unsatisfiable assignment, we call a conflict set any unsatisfiable sub-assignment . (E.g., in Ex-ample 1 (2) and (3) are conflict sets for the assignment .) A key efficiencyissue for Math-SAT is the capability of MathSolver to return the conflict setwhich has caused the inconsistency of an input assignment, and the capabilityof Assign Enumerator to use this information to prune search.

For instance, both Belman-Ford algorithm and Simplex LP procedures canproduce conflict sets [ABC+02,WW99]. Semantic tableaux and DPLL can be en-hanced by a technique called mathematical backjumping [HPS98,WW99,ABC+02]:when MathSolver() returns a conflict set , Assign Enumerator can jumpback in its search to the deepest branching point in which a literal l is as-signed a truth value, pruning the search tree below. DPLL can be enhanced alsowith learning [WW99,ABC+02]: the negation of the conflict set is added inconjunction to the input formula, so that DPLL will never again generate anassignment containing the conflict set .

Generating and handling derived assignments. Another efficiency issuefor Math-SAT is the capability of MathSolver to produce an extra assign-ment derived deterministically from a satisfiable input assignment , and thecapability of Assign Enumerator to use this information to narrow the search.

For instance, in the procedure presented in [ABC+02,ACKS02],MathSolvercomputes equivalence classes of real variables and performs substitutions whichcan produce further assignments. E.g., if (v1 = v2), (v2 = v3) , (v1 v3 >2) 6 and is satisfiable, then MathSolver() finds that v1 and v3 belongto the same equivalence class and returns an extra assignment containing(v1 v3 > 2), which is unit-propagated away by DPLL.

Incrementality of MathSolver. Another efficiency issue of MathSolver isthat of being incremental, so that to avoid restarting computation from scratchwhenever it is given in input an assignment such that and has alreadyproved satisfiable. (This happens, e.g., at the intermediate assignments checkingsteps.) Thus, MathSolver should remember the status of the computationfrom one call to the other, whilst Assign Enumerator should be able to keeptrack of the computation status of MathSolver.

For instance, it is possible to modify a Simplex LP procedure so that tomake it incremental, and to make DPLL call it incrementally after every unitpropagation [WW99].

6 Implemented systems

In order to provide evidence of the generality of our approach, in this sectionwe briefly present some examples. First we enumerate some existing procedureswhich are captured by our framework. Then we present a brief description ofour own solver Math-SAT.

6.1 Examples

Our framework captures a significant amount of existing procedure used in var-ious application domains. We briefly recall some of them.

Omega [Pug92] is a procedure used for dependence analysis of software. It isan integer programming algorithm based on an extension of Fourier-Motzkinvariable elimination method. It handles boolean combinations of linear con-straints by simply pre-computing the DNF of the input formula.

TSAT [ACG99] is an optimized procedure for temporal reasoning able to handlesets of disjunctive temporal constraints. It integrates DPLL with a simplexLP tool, adding some form of forward checking and static learning.

LPSAT [WW99] is an optimized procedure for Math-formulas over linear realconstraints, used to solve problems in the domain of resource planning. Itaccept only formulas with positive mathematical constraints. LPSAT in-tegrates DPLL with an incremental simplex LP tool, and performs back-jumping and learning.

SMV+QUAD-CLP [CABN97] integrates OBDDs with a quadratic constraintsolver to verify transition systems with integer data values. It performs aform of intermediate assignment checking.

DDD [MLAH01] are OBDD-like data structures handling boolean combinationsof temporal constraints in the form (xz 3), which are used to verify timedsystems. They combine OBDDs with an incremental version of Belman-Fordminimal path and cycle detection algorithm.

Unfortunately, the last two approaches inherit from OBDDs the drawback ofrequiring exponential space in worst case.

6.2 A DPLL-based implementation of Math-SAT

In [ABC+02,ACKS02] we presented Math-SAT, a decision procedure for Math-formulas over boolean and linear mathematical propositions over the reals.Math-SAT uses as Assign Enumerator an implementation of DPLL, and as Math-Solver a hierarchical set of mathematical procedures for linear constraintson real variables able to handle theories of increasing expressive power. Thelatter include a procedure for computing and exploiting equivalence classesfrom equality constraints like (x = y), a Bellman-Ford minimal path algo-rithm with cycle detection for handling differences like (x y 4), and aSimplex LP procedure for handling the remaining linear constraints. Math-SAT implements and uses most of the tricks and optimizations described inSection 5. Technical details can be found in [ABC+02]. Math-SAT is availableat http://www.dit.unitn.it/~rseba/Mathsat.html.

In [ABC+02,ACKS02] preliminary experimental evaluations were carried outon tests arising from temporal reasoning [ACG99] and formal verification oftimed systems [ACKS02]. In the first class of problems, we have compared ourresults with the results of the specialized procedure Tsat; although Math-SATis able to tackle a wider class of problems, it runs faster that the Tsat solver,which is specialized to the problem class. In the second class, we have encodedbounded model checking problems for timed systems into the satisfiability ofMath-formulas, and run Math-SAT on them. It turned out that our approachwas comparable in efficiency with two well-established model checkers for timedsystems, and significantly more expressive [ACKS02].

References

[ABC+02] G. Audemard, P. Bertoli, A. Cimatti, A. Korni lowicz, and R. Sebastiani. ASAT Based Approach for Solving Formulas over Boolean and Linear Math-ematical Propositions. In Proc. CADE2002., 2002. To appear. Availableat http://www.dit.unitn.it/~rseba/publist.html.

[ACG99] A. Armando, C. Castellini, and E. Giunchiglia. SAT-based procedures fortemporal reasoning. In Proc. European Conference on Planning, CP-99,1999.

[ACKS02] G. Audemard, A. Cimatti, A. Korni lowicz, and R. Sebastiani. SAT-Based Bounded Model Checking for Timed Systems. 2002. Available athttp://www.dit.unitn.it/~rseba/publist.html.

[BCCZ99] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checkingwithout BDDs. In Proc. CAV99, 1999.

[Bry86] R. E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation.IEEE Transactions on Computers, C-35(8):677691, August 1986.

[CABN97] W. Chan, R. J. Anderson, P. Beame, and D. Notkin. Combining constraintsolving and symbolic model checking for a class of systems with non-linearconstraints. In Proc. CAV97, volume 1254 of LNCS, pages 316327, Haifa,Israel, June 1997. Springer-Verlag.

[DLL62] M. Davis, G. Longemann, and D. Loveland. A machine program for theoremproving. Journal of the ACM, 5(7), 1962.

[GS96] F. Giunchiglia and R. Sebastiani. Building decision procedures for modallogics from propositional decision procedures - the case study of modalK. In Proc. of the 13th Conference on Automated Deduction, LNAI, NewBrunswick, NJ, USA, August 1996. Springer Verlag.

[GS00] F. Giunchiglia and R. Sebastiani. Building decision procedures for modallogics from propositional decision procedures - the case study of modalK(m). Information and Computation, 162(1/2), October/November 2000.

[HPS98] I. Horrocks and P. F. Patel-Schneider. FaCT and DLP. In Procs.Tableaux98, number 1397 in LNAI, pages 2730. Springer-Verlag, 1998.

[KMS96] H. Kautz, D. McAllester, and Bart Selman. Encoding Plans in PropositionalLogic. In Proc. KR96, 1996.

[MLAH01] J. Moeller, J. Lichtenberg, H. Andersen, and H. Hulgaard. Fully SymbolicModel Checking of Timed Systems using Difference Decision Diagrams. InElectronic Notes in Theoretical Computer Science, volume 23. Elsevier Sci-ence, 2001.

[Pug92] W. Pugh. The Omega Test: a fast and practical integer programming al-goprithm for dependence analysis. Communication of the ACM, August1992.

[RV01] A. Robinson and A. Voronkov, editors. Handbook of Automated Reasoning.Elsevier Science Publishers, 2001.

[Seb01] R. Sebastiani. Integrating SAT Solvers with Math Reasoners: Foundationsand Basic Algorithms. Technical Report 0111-22, ITC-IRST, November2001. Available at http://www.dit.unitn.it/~rseba/publist.html.

[Smu68] R. M. Smullyan. First-Order Logic. Springer-Verlag, NY, 1968.[WW99] S. Wolfman and D. Weld. The LPSAT Engine & its Application to Resource

Planning. In Proc. IJCAI, 1999.